[libvirt] [PATCH 2/3] qemu: Disallow usage of luks encryption if aes secret not possible

Daniel P. Berrange berrange at redhat.com
Wed Jul 20 08:29:11 UTC 2016


On Tue, Jul 19, 2016 at 02:27:41PM -0400, John Ferlan wrote:
> Resolves a CI test integration failure with a RHEL6/CentOS6 environment.
> 
> In order to use a LUKS encrypted device, the design decision was to
> generate an encrypted secret based on the master key. However, commit
> id 'da86c6c' missed checking for that specifically.
> 
> When qemuDomainSecretSetup was implemented, a design decision was made
> to "fall back" to a plain text secret setup if the specific cipher was
> not available (e.g. virCryptoHaveCipher(VIR_CRYPTO_CIPHER_AES256CBC))
> as well as the QEMU_CAPS_OBJECT_SECRET. For the luks encryption setup
> there is no fall back to the plaintext secret, thus if that gets set
> up by qemuDomainSecretSetup, then we need to fail.
> 
> Also, while the qemuxml2argvtest has set the QEMU_CAPS_OBJECT_SECRET
> bit, it didn't take into account the second requirement that the
> ability to generate the encrypted secret is possible. So modify the
> test to not attempt to run the luks-disk if we know we don't have
> the encryption algorithm.
> 
> Signed-off-by: John Ferlan <jferlan at redhat.com>
> ---
>  src/qemu/qemu_domain.c   | 7 +++++++
>  tests/qemuxml2argvtest.c | 4 ++++
>  2 files changed, 11 insertions(+)

ACK


Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
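
The behaviour described in the quoted commit message, as an added example that is not part of the original mail and is not libvirt code: generic secret setup falls back to plain text, while the LUKS path refuses that fallback. All type and function names are hypothetical, and the two booleans stand in for QEMU_CAPS_OBJECT_SECRET and virCryptoHaveCipher(VIR_CRYPTO_CIPHER_AES256CBC).

```c
#include <stdbool.h>
#include <stdio.h>

/* Illustrative model only: these types and function names are hypothetical. */
typedef enum { SECRET_PLAIN, SECRET_AES } secret_type;

typedef struct {
    bool object_secret; /* stands in for QEMU_CAPS_OBJECT_SECRET */
    bool aes256cbc;     /* stands in for virCryptoHaveCipher(VIR_CRYPTO_CIPHER_AES256CBC) */
} host_caps;

/* Generic setup: an AES secret needs both requirements, otherwise plain text. */
secret_type secret_setup(const host_caps *caps)
{
    return (caps->object_secret && caps->aes256cbc) ? SECRET_AES : SECRET_PLAIN;
}

/* Disk path: LUKS has no plain-text fallback, so refuse instead of downgrading.
 * Returns 0 and stores the chosen type in *out, or -1 on refusal. */
int disk_secret_prepare(const host_caps *caps, bool is_luks, secret_type *out)
{
    secret_type chosen = secret_setup(caps);

    if (is_luks && chosen != SECRET_AES) {
        fprintf(stderr, "refusing luks disk: encrypted secret not available\n");
        return -1;
    }
    *out = chosen;
    return 0;
}

/* Test-suite gate: setting the capability bit alone is not enough. */
bool can_run_luks_test(const host_caps *caps)
{
    return caps->aes256cbc;
}

int main(void)
{
    /* Constructed combinations; the second has the capability bit set but no cipher. */
    const host_caps hosts[] = { {true, true}, {true, false}, {false, true}, {false, false} };

    for (size_t i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++) {
        secret_type t = SECRET_PLAIN;
        int luks = disk_secret_prepare(&hosts[i], true, &t);
        int other = disk_secret_prepare(&hosts[i], false, &t);
        printf("object_secret=%d aes=%d -> luks:%s other:%s\n", hosts[i].object_secret,
               hosts[i].aes256cbc, luks ? "refused" : "aes", other ? "refused" : (t == SECRET_AES ? "aes" : "plain"));
    }
    return 0;
}
```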



